Wednesday, February 15, 2012

Windows Azure and ACS - CryptographicException: Key not valid for use in specified state

My technical architect asked me to work on Windows Azure Access Control Service (ACS) and configure ACS for ADFS. After following all the steps on the Azure management portal, such as configuring the identity provider and adding the relying party, it was time for me to add an STS reference to my Azure web role. If you don't know how, click: how to add STS reference.

I added the STS reference to my web role and pressed F5 to start debugging, and I got the exception below:

CryptographicException: Key not valid for use in specified state.

InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false.

I don't understand why I always run into such odd issues. Anyway, here is the explanation and the solution for the error above.

By default, when we say "Add STS reference", we are talking about Windows Identity Foundation (WIF). Out of the box WIF protects the session cookie with DPAPI (the ProtectedDataCookieTransform), and that does not suit an Azure web role for two reasons. First, DPAPI keeps its key material in the user profile; if the application pool runs without a loaded profile (the loadUserProfile hint in the exception text), the decryption fails with "Key not valid for use in specified state". Second, DPAPI keys belong to the machine that created them, so a cookie written by one server (one web role instance in Azure) cannot be read by another, and the load balancer does not promise to send a user back to the same instance. The fix for both is a cookie protection mechanism keyed by something every instance shares: replace DPAPI with RsaEncryptionCookieTransform (together with RsaSignatureCookieTransform) backed by an X.509 certificate installed on every web role instance. The WIF training kit has an excellent lab that shows how to do this: http://msdn.microsoft.com/en-us/gg557891

Look for step 23 in that lab; it shows the code needed to get past the "key not valid" problem. Following that lab, I wrote the following code in my Global.asax.cs file:

The code takes its certificate from the <serviceCertificate> element in web.config, which the lab leaves commented out, so uncomment that element. It tells WIF to look for the certificate in the LocalMachine / My (Personal) store, so you need to add the certificate, including its private key, to that store on every machine that runs the web role (RSA decryption of the cookie needs the private key, and the application pool identity must be allowed to read it). Be careful: when you open the Run window and type "certmgr.msc", the store that opens is the CurrentUser store, not the LocalMachine store. To manage the LocalMachine store, run mmc.exe, add the Certificates snap-in and choose "Computer account". Make sure the certificate ends up in the Local Machine My store. For detailed steps click: adding certificate in LocalMachine my store.
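The author's Global.asax.cs listing did not survive on this page, so here is an added example of the pattern the training kit lab describes (this is not the post's original code): swap the DPAPI cookie transform for RSA encryption and RSA signature keyed by the service certificate. It assumes WIF 3.5 (the Microsoft.IdentityModel namespaces that "Add STS reference" targeted at the time), a web.config containing `<microsoft.identityModel><service><serviceCertificate><certificateReference x509FindType="FindByThumbprint" findValue="..." storeLocation="LocalMachine" storeName="My" /></serviceCertificate></service></microsoft.identityModel>`, and an HttpApplication class named Global; the two guard checks are additions for diagnosability, not part of the lab.

```csharp
// Global.asax.cs (added example; assumes WIF 3.5 / Microsoft.IdentityModel namespaces
// and a <serviceCertificate> element pointing at LocalMachine\My).
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Raised once, after WIF has read <microsoft.identityModel> from web.config
        // and before the first request is authenticated.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // ServiceCertificate is resolved from <serviceCertificate><certificateReference/>.
        // While that element is still commented out it is null; fail here with a clear
        // message rather than with an obscure exception on the first sign-in.
        X509Certificate2 cert = e.ServiceConfiguration.ServiceCertificate;
        if (cert == null)
        {
            throw new InvalidOperationException(
                "No <serviceCertificate> is configured; RSA cookie protection needs one.");
        }

        // Reading the session cookie is an RSA private-key operation, so the copy in
        // LocalMachine\My must carry its private key (and the app pool identity must be
        // allowed to read it). A public-key-only .cer import passes the thumbprint lookup
        // but fails at decryption time.
        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "Service certificate " + cert.Thumbprint + " has no private key.");
        }

        // Replace DPAPI (ProtectedDataCookieTransform) with RSA encryption and an RSA
        // signature, both keyed by the shared certificate. Transforms run in this order
        // when the cookie is written and in reverse when it is read, so any web role
        // instance holding the same certificate can read a cookie issued by another.
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert)
        };

        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }
}
```

Two checks worth doing before blaming the code: on the box, `Get-ChildItem Cert:\LocalMachine\My` in PowerShell must list the thumbprint from web.config with HasPrivateKey true (certmgr.msc only shows the CurrentUser store, so it will not). For the deployed web role, upload the .pfx to the hosted service and declare it under <Certificates> in ServiceDefinition.csdef with storeLocation="LocalMachine" and storeName="My", otherwise only your development machine has the key and the instances hit the same exception.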

Also, I added the same certificate in ACS on the Azure management portal, under the "Certificates and Keys" menu, for "Service Namespace", type X.509 Certificate. Note that a certificate registered there is what ACS uses to sign the tokens it issues; the session cookie protected by the RSA cookie transform never leaves the web role, so the cookie fix itself does not depend on what ACS knows about the certificate.

About Me

I am Kunal Chandratre, working as Cloud Solution Architect at Microsoft. My speciality is the Microsoft Azure cloud platform.
Awarded Most Valuable Professional (MVP) in Microsoft Azure for three consecutive years. Passionate speaker, trainer... In my free time (which I don't usually get) I write blogs and answer forum questions. I was doing it just to pass the time but now I have got addicted to blogging... Apart from work, I do a variety of things which I can't tell here :).. I am a trekker, singer, actor, painter, F1 racer, super hero in my dreams... and now trying my luck with technologies... Keep posting...
